93f5fa4893007b17277433e909b9c8a3cd668cabf3cfa7642c3ca180e769a657

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20231201-en
resource tags

arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
submitted
05-12-2023 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22379be846f2856c90a47fda13776e5b.exe
Size

37KB
MD5

22379be846f2856c90a47fda13776e5b
SHA1

1562ca8e25002572bfa3debb2166186fc6c15757
SHA256

93f5fa4893007b17277433e909b9c8a3cd668cabf3cfa7642c3ca180e769a657
SHA512

f19476e614d50ec1c01aa29c6b7681af47f2a0a57a55a8c19f9e53ba907f8c324b669f475780b3507dd849195d358680c72a5f980684a021097b8cd3fc5b8dde
SSDEEP

384:SQmOq0IiejvCVLO309QmykrtG+dA+VCwvOSifrAF+rMRTyN/0L+EcoinblneHQMX:SGLdGdkrgYUwWS0rM+rMRa8NuNmt

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2040 netsh.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
2040	netsh.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

22379be846f2856c90a47fda13776e5b.exe

description	pid	process
Token: SeDebugPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe
Token: 33	2468	22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege	2468	22379be846f2856c90a47fda13776e5b.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

22379be846f2856c90a47fda13776e5b.exe

description	pid	process	target process
PID 2468 wrote to memory of 2040	2468	22379be846f2856c90a47fda13776e5b.exe	netsh.exe
PID 2468 wrote to memory of 2040	2468	22379be846f2856c90a47fda13776e5b.exe	netsh.exe
PID 2468 wrote to memory of 2040	2468	22379be846f2856c90a47fda13776e5b.exe	netsh.exe
PID 2468 wrote to memory of 2040	2468	22379be846f2856c90a47fda13776e5b.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\22379be846f2856c90a47fda13776e5b.exe
"C:\Users\Admin\AppData\Local\Temp\22379be846f2856c90a47fda13776e5b.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\22379be846f2856c90a47fda13776e5b.exe" "22379be846f2856c90a47fda13776e5b.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2468-0-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/2468-1-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/2468-2-0x0000000001EE0000-0x0000000001F20000-memory.dmp

Filesize
256KB

Download
memory/2468-3-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/2468-4-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/2468-5-0x0000000001EE0000-0x0000000001F20000-memory.dmp

Filesize
256KB

Download